
    Solving multivariate polynomial systems and an invariant from commutative algebra

    The complexity of computing the solutions of a system of multivariate polynomial equations by means of Gröbner basis computations is upper bounded by a function of the solving degree. In this paper, we discuss how to rigorously estimate the solving degree of a system, focusing on systems arising within public-key cryptography. In particular, we show that it is upper bounded by, and often equal to, the Castelnuovo-Mumford regularity of the ideal generated by the homogenization of the equations of the system, or by the equations themselves in case they are homogeneous. We discuss the underlying commutative algebra and clarify under which assumptions the commonly used results hold. In particular, we discuss the assumption of being in generic coordinates (often required for bounds obtained following this type of approach) and prove that systems that contain the field equations or their fake Weil descent are in generic coordinates. We also compare the notion of solving degree with that of degree of regularity, which is commonly used in the literature. We complement the paper with some examples of bounds obtained following the strategy that we describe.

    Application of the fast Fourier transform to solving the LPN problem over finite Frobenius rings

    The LPN problem is one of the most famous hard computational problems. In its most general formulation, it consists in solving a system of linear equations corrupted by noise over an arbitrary finite ring and includes, as a special case, the problem of decoding a random linear code over a finite field. Numerous (both symmetric and asymmetric) cryptosystems and protocols whose security relies on the hardness of the LPN problem are known. Therefore, the development of algorithms for solving this problem that are more efficient than the known ones is a relevant direction of modern cryptology. The most reliable (and most time-consuming) method for solving the LPN problem is the maximum likelihood method. It is well known that for systems of linear equations corrupted by noise over a finite field or a residue ring modulo a power of two, the complexity of this method can be reduced by applying fast Fourier transform algorithms. At the same time, the question of how wide the class of finite rings with this property is remains open. In this paper we show that this is the class of finite Frobenius rings. This class is very extensive and includes, in particular, any (left or right) principal ideal ring. The obtained results indicate that the fast Fourier transform algorithms well known for the case of a finite field or a residue ring modulo a power of two can be applied to solving the LPN problem over an arbitrary finite Frobenius ring. This makes it possible to significantly reduce the complexity of solving this problem by the maximum likelihood method.

    Efficient quantum processing of ideals in finite rings

    Suppose we are given black-box access to a finite ring R, and a list of generators for an ideal I in R. We show how to find an additive basis representation for I in poly(log |R|) time. This generalizes a recent quantum algorithm of Arvind et al. which finds a basis representation for R itself. We then show that our algorithm is a useful primitive allowing quantum computers to rapidly solve a wide variety of problems regarding finite rings. In particular we show how to test whether two ideals are identical, find their intersection, find their quotient, prove whether a given ring element belongs to a given ideal, prove whether a given element is a unit, and if so find its inverse, find the additive and multiplicative identities, compute the order of an ideal, solve linear equations over rings, decide whether an ideal is maximal, find annihilators, and test the injectivity and surjectivity of ring homomorphisms. These problems appear to be hard classically.Comment: 5 page

    A linear time algorithm for the orbit problem over cyclic groups

    The orbit problem is at the heart of symmetry reduction methods for model checking concurrent systems. It asks whether two given configurations in a concurrent system (represented as finite strings over some finite alphabet) are in the same orbit with respect to a given finite permutation group (represented by their generators) acting on this set of configurations by permuting indices. It is known that the problem is in general as hard as the graph isomorphism problem, whose precise complexity (whether it is solvable in polynomial-time) is a long-standing open problem. In this paper, we consider the restriction of the orbit problem when the permutation group is cyclic (i.e. generated by a single permutation), an important restriction of the problem. It is known that this subproblem is solvable in polynomial-time. Our main result is a linear-time algorithm for this subproblem.Comment: Accepted in Acta Informatica in Nov 201

    Isogenies of Elliptic Curves: A Computational Approach

    Isogenies, the mappings of elliptic curves, have become a useful tool in cryptology. These mathematical objects have been proposed for use in computing pairings, constructing hash functions and random number generators, and analyzing the reducibility of the elliptic curve discrete logarithm problem. With such diverse uses, understanding these objects is important for anyone interested in the field of elliptic curve cryptography. This paper, targeted at an audience with a knowledge of the basic theory of elliptic curves, provides an introduction to the necessary theoretical background for understanding what isogenies are and their basic properties. This theoretical background is used to explain some of the basic computational tasks associated with isogenies. Herein, algorithms for computing isogenies are collected and presented with proofs of correctness and complexity analyses. As opposed to the complex analytic approach provided in most texts on the subject, the proofs in this paper are primarily algebraic in nature. This provides alternate explanations that some with a more concrete or computational bias may find more clear.Comment: Submitted as a Masters Thesis in the Mathematics department of the University of Washingto

    Computing Small Certificates of Inconsistency of Quadratic Fewnomial Systems

    Bézout's theorem states that dense generic systems of $n$ multivariate quadratic equations in $n$ variables have $2^n$ solutions over algebraically closed fields. When only a small subset $M$ of monomials appears in the equations (fewnomial systems), the number of solutions may decrease dramatically. We focus in this work on subsets of quadratic monomials $M$ such that generic systems with support $M$ do not admit any solution at all. For these systems, Hilbert's Nullstellensatz ensures the existence of algebraic certificates of inconsistency. However, to our knowledge all known bounds on the sizes of such certificates, including those which take into account the Newton polytopes of the polynomials, are exponential in $n$. Our main results show that if the inequality $2|M| - 2n \le \sqrt{1 + 8\nu} - 1$ holds for a quadratic fewnomial system, where $\nu$ is the matching number of a graph associated with $M$ and $|M|$ is the cardinality of $M$, then there exists generically a certificate of inconsistency of linear size (measured as the number of coefficients in the ground field $K$). Moreover, this certificate can be computed within a polynomial number of arithmetic operations. Next, we evaluate how often this inequality holds, and we give evidence that the probability that the inequality is satisfied depends strongly on the number of squares. More precisely, we show that if $M$ is picked uniformly at random among the subsets of $n + k + 1$ quadratic monomials containing at least $\Omega(n^{1/2+\epsilon})$ squares, then the probability that the inequality holds tends to 1 as $n$ grows. Interestingly, this phenomenon is related to the matching number of random graphs in the Erdős-Rényi model. Finally, we provide experimental results showing that certificates of inconsistency can be computed for systems with more than 10000 variables and equations.Comment: ISSAC 2016, Jul 2016, Waterloo, Canada. Proceedings of ISSAC 201